Severity by source
AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
File must be opened locally (AV:L, UI:R); the opening user needs no special privilege so PR:N (contra Adobe's PR:H); code runs in current user context so S:U with full C/I/A impact.
Primary rating from Vendor (adobe).
CVSS VectorVendor: adobe
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Animate is affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.
AnalysisAI
Arbitrary code execution in Adobe Animate 2023 and 2024 allows an attacker to run OS commands in the context of the current user when a victim opens a maliciously crafted file. The flaw is an OS command injection (CWE-78) with no public exploit identified at time of analysis and no active exploitation reported in CISA KEV; risk hinges on social-engineering a user into opening the file. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a victim running Adobe Animate 2023 or 2024 to open a specifically crafted malicious file (UI:R) locally (AV:L); the attacker cannot trigger it remotely without that user action. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and point to moderate, socially-gated risk rather than a mass-exploitation emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious Adobe Animate project or asset file with embedded command-injection payload and delivers it via email, chat, or a download link, relying on social engineering. When the victim opens the file in Animate 2023 or 2024, the embedded payload is passed to an OS command interpreter and executes arbitrary commands in the victim's user context. … |
| Remediation | Apply the updates referenced in Adobe security bulletin APSB26-83 (https://helpx.adobe.com/security/products/animate/apsb26-83.html) for Adobe Animate 2023 and 2024; the exact fixed build numbers are listed in that advisory and should be pulled directly from it rather than assumed. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all systems running Adobe Animate 2023 or 2024 and alert users to avoid opening files from untrusted sources; block email delivery of file types commonly used with Animate (XFL, ANI) from external senders. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Adobe Animate 2023
View allArbitrary code execution in Adobe Animate 2023 and 2024 stems from a path traversal weakness triggered when a victim ope
Arbitrary code execution in Adobe Animate 2023 and 2024 allows an attacker to run commands in the context of the current
Arbitrary code execution in Adobe Animate 2023 and 2024 stems from an incorrect authorization (CWE-863) weakness that le
Arbitrary code execution in Adobe Animate 2023 and 2024 arises from an untrusted search path (CWE-426) flaw that lets a
Arbitrary code execution in Adobe Animate 2023 and 2024 arises from an Incorrect Authorization flaw (CWE-863) that lets
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44439
GHSA-8m86-2cxp-pw9w